(Immunix Issues Fix) Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges
SecurityTracker Alert ID: 1002265|
SecurityTracker URL: http://securitytracker.com/id/1002265
(Links to External Site)
Date: Aug 27 2001
Execution of arbitrary code via local system, Root access via local system|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): versions between 8.10.0 and 8.11.5 as well as all 8.12.0.Beta versions|
SecurityFocus discovered an input validation vulnerability in the Sendmail '-d' debugging facility that allows a local user to execute arbitrary code with root level privileges.|
The vulnerability is reportedly due to a flaw in the use of signed integers in Sendmail's tTflag() debugging function.
A remote user can call sendmail with the '-d' command line switch and can supply a large value for the 'category' part of the arguments to be used as an index for the system's internal trace vector. The user-supplied arguments can apparently cause a signed integer overflow such that the input validation function does not detect that the size of the user-supplied trace vector data exceeds the indicated (and overflowed) length value.
It is reported that the trace vector data is written before the program drops its set user id (suid) root privileges. As a result, a local user can overwrite process memory and cause arbitrary code to be executed with root privileges.
A local user can invoke sendmail and cause arbitrary code to be executed with root level privileges, giving the user root level access on the system.|
The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.|
Vendor URL: www.sendmail.org/ (Links to External Site)
Input validation error|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Fri, 24 Aug 2001 17:25:34 -0700|
Subject: [Immunix-announce] ImmunixOS 7.0 sendmail update
Immunix OS Security Advisory
Packages updated: sendmail
Affected products: Immunix OS 7.0
Bugs fixed: immunix/1615, immunix/1690
Date: Thu Aug 23 2001
Advisory ID: IMNX-2001-70-032-01
Author: Seth Arnold <firstname.lastname@example.org>
This update fixes two problems with sendmail. The first is a fairly
serious problem handing command line arguments that can lead to root
privileges, discovered by Cade Cairns. The second is a race condition
with the signal handling, discovered by Michal Zalewski, with root
access a possibility.
StackGuard protection from the first problem is minimal -- while it
may prevent trivial exploits from running, StackGuard should not be
counted an effective defense against this problem.
We recommend users upgrade their sendmail as soon as possible. While
Immunix OS 6.2 sendmail is not vulnerable to this problem (per Dave
Ahmed's bugtraq post), we have not researched this issue -- Immunix OS
6.2 is no longer officially supported.
Package names and locations:
Precompiled binary packages for Immunix 7.0 are available at:
Source package for Immunix 7.0 is available at:
Immunix OS 7.0 md5sums:
Our public key is available at <http://wirex.com/security/GPG_KEY>.
*** NOTE *** This key is different from the one used in advisories
IMNX-2001-70-020-01 and earlier.
Online version of all Immunix 6.2 updates and advisories:
Online version of all Immunix 7.0-beta updates and advisories:
Online version of all Immunix 7.0 updates and advisories:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
or one of the many mirrors available at:
To report vulnerabilities, please contact email@example.com. WireX
attempts to conform to the RFP vulnerability disclosure protocol
Immunix-announce mailing list